When an AIX or Linux server with CyberArk is joined to the AD domain, CyberArk fails to issue the 'su' command correctly to change the root password on the machine. It gets mangled to 's?u'. This only happens after the machine is joined to AD via adclient.
Applies to: All Centrify Direct Control versions.
Background:
A CPM (Central Password Manager) is required to mimic what CyberArk does. Without using a CPM, it will be almost impossible to imitate CPM functionality. CyberArk uses "expect" to interact with the servers, and the expect script gets confused when presented with numerous "#" characters; it seems to think it is seeing a root prompt when it is not. The CyberArk Group Policy is used to force a "banner" telling people to remember to use their AD passwords. This banner included a border of octothorpes. This confuses CyberArk's expect script, but because the banner is set up only on the Centrify-connected servers, the issue is only seen on Centrified systems.
Resolution: The root cause of the issue was the unique login banner text on Centrify-enabled systems.
Change the Group Policy to not use the "###" border in the banner.
This will allow CyberArk's expect script for Central Password Manager to function correctly.
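A check for the banner condition described in the Background, as an added example that is not CyberArk or Centrify code: it flags banner lines that a loose root-prompt pattern would match before the real prompt arrives. The pattern, the sample banners and the prompt string are constructed assumptions, since the page does not give the CPM script's actual patterns.

```python
import re

# Assumption: a loose root-prompt pattern of the kind an expect-style
# automation might wait for. CyberArk's real CPM patterns are not on the page.
LOOSE_ROOT_PROMPT = re.compile(r"#")

# Constructed sample banners (not taken from any real system).
BORDERED_BANNER = (
    "########################################\n"
    "#  Remember to use your AD password    #\n"
    "########################################\n"
)
PLAIN_BANNER = (
    "----------------------------------------\n"
    "   Remember to use your AD password\n"
    "----------------------------------------\n"
)


def risky_banner_lines(banner, prompt_pattern=LOOSE_ROOT_PROMPT):
    """Return (line_number, text) for each banner line the prompt pattern matches."""
    return [
        (number, line)
        for number, line in enumerate(banner.splitlines(), start=1)
        if prompt_pattern.search(line)
    ]


def first_prompt_hit(session_output, prompt_pattern=LOOSE_ROOT_PROMPT):
    """Return the offset where the automation would believe it saw a prompt, or None."""
    match = prompt_pattern.search(session_output)
    return match.start() if match else None


def prompt_seen_too_early(banner, real_prompt="[root@host ~]# ",
                          prompt_pattern=LOOSE_ROOT_PROMPT):
    """True if the pattern fires inside the banner, before the real prompt arrives."""
    session = banner + real_prompt  # the banner is printed before the shell prompt
    hit = first_prompt_hit(session, prompt_pattern)
    return hit is not None and hit < len(banner)


if __name__ == "__main__":
    for name, banner in (("bordered", BORDERED_BANNER), ("plain", PLAIN_BANNER)):
        print(name, "early match:", prompt_seen_too_early(banner))
        for number, line in risky_banner_lines(banner):
            print(f"  line {number}: {line}")
```

Run against the banner text that Group Policy deploys, it shows which lines to change before the password rotation is retried.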